2025-02-16 18:57:05 -05:00
[Home](../README.md) | [History and Motivation](../01-history-and-motivation/README.md)
| [Technology Overview](../02-technology-overview/README.md)
| [Installation and Set Up](../03-installation-and-set-up/README.md)
| [Using 3rd Party Containers](../04-using-3rd-party-containers/README.md)
| [Example Web Application](../05-example-web-application/README.md)
| [Building Container Images](../06-building-container-images/README.md)
| [Container Registries](../07-container-registries/README.md)
| [Running Containers](../08-running-containers/README.md)
| [Container Security](../09-container-security/README.md)
| [Interacting with Docker Objects](../10-interacting-with-docker-objects/README.md)
| [Development Workflows](../11-development-workflow/README.md)
| [Deploying Containers](../12-deploying-containers/README.md)
---
# Container Security
There are two main considerations when it comes to container security: (1) the contents of your container image and (2) the security of the execution configuration and environment.
## Image Security
*“What vulnerabilities exist in your image that an attacker could exploit?”*
- Keep attack surface area as small as possible:
  - Use minimal base images (multi-stage builds are a key enabler)
  - Don't install things you don't need (don't install dev deps)
- Scan images!
- Use users with minimal permissions
- Keep sensitive info out of images
- Sign and verify images
- Use fixed image tags, either:
  - Pin major.minor (allows patch fixes to be integrated)
  - Pin a specific image hash
## Runtime Security
*If an attacker successfully compromises a container, what can they do? How difficult will it be to move laterally?*
### Docker daemon (dockerd)
- Start with the --userns-remap option (https://docs.docker.com/engine/security/userns-remap/)
### Individual containers
- Use a read-only filesystem if writes are not needed
- --cap-drop=all, then --cap-add anything you need
- Limit CPU and memory: --cpus="0.5" --memory 1024m
- Use --security-opt
  - seccomp profiles (https://docs.docker.com/engine/security/seccomp/)
  - apparmor profiles (https://docs.docker.com/engine/security/apparmor/)
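The following script is an added example (not part of the course notes) that ties the "fixed image tags" item to the runtime list: it refuses image references that are not pinned by digest or by a major.minor tag, and then assembles a `docker run` line carrying the read-only root filesystem, dropped capabilities, resource limits and `--security-opt` settings listed above. The image names, the seccomp profile path and the limit values are constructed placeholders.

```shell
#!/bin/sh
# Added example, not part of the course notes. Refuses floating image tags
# and assembles a hardened `docker run` command from the runtime controls
# listed above. Image names, seccomp profile path and limits are
# constructed placeholders; adjust them per service.

# Return 0 if REF is pinned by digest (@sha256:<64 hex>) or by a
# major.minor[.patch][-suffix] tag; return 1 for untagged refs or :latest.
is_pinned_ref() {
    ref=$1
    # Digest pinning is immutable and the strongest option.
    if printf '%s\n' "$ref" | grep -Eq '@sha256:[0-9a-f]{64}$'; then
        return 0
    fi
    tag=${ref##*:}
    case $tag in
        "$ref" | latest | */*) return 1 ;;   # no tag, :latest, or the ':' was a registry port
    esac
    printf '%s\n' "$tag" | grep -Eq '^v?[0-9]+\.[0-9]+(\.[0-9]+)?(-[A-Za-z0-9.]+)?$'
}

# Print a hardened `docker run` line for IMAGE (must be a pinned reference)
# using the seccomp profile at the optional second argument (placeholder default).
hardened_run_cmd() {
    image=$1
    seccomp=${2:-/etc/docker/seccomp/app.json}
    if ! is_pinned_ref "$image"; then
        echo "refusing unpinned image reference: $image" >&2
        return 1
    fi
    cmd="docker run --rm"
    cmd="$cmd --read-only --tmpfs /tmp:rw,noexec,nosuid,size=64m"   # root fs read-only; scratch space on tmpfs
    cmd="$cmd --cap-drop=all --cap-add=NET_BIND_SERVICE"            # drop everything, add back only what the app needs
    cmd="$cmd --security-opt no-new-privileges"                     # block setuid/setgid privilege escalation
    cmd="$cmd --security-opt seccomp=$seccomp"                      # custom syscall allow-list
    cmd="$cmd --security-opt apparmor=docker-default"               # AppArmor profile (Docker's default here)
    cmd="$cmd --cpus=0.5 --memory=1024m --pids-limit=100"           # CPU, memory and process limits
    cmd="$cmd --user 10001:10001"                                   # unprivileged UID/GID inside the container
    printf '%s\n' "$cmd $image"
}

# Usage: print the command rather than executing it so it can be reviewed first.
hardened_run_cmd "${1:-nginx:1.27}"
```

Piping the printed line into `sh` runs it; keeping the print step separate lets the flags be reviewed (or diffed against policy) before anything starts.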